My OpenID Shitlist, Hitlist and Wishlist for 2008

OpenID hitlist

Update: I’ve posted an update to these lists, giving props to Yahoo, Google, PBWiki and Drupal for embracing OpenID.

I believe in the power of community to drive change, and I believe that peer pressure can be a great motivator. I also believe that shaming can be an equally powerful motivator, if used lovingly and when an “out” is provided.

In this case, that “out” is adding support for consuming OpenIDs, not just being an identity provider.

With that in mind, I thought I’d throw out my OpenID Shitlist, Hitlist and Wishlist with the hope that a little sunlight might cause the previously planted seeds to finally sprout. Since OpenID 2.0 is now out, these folks really have very little excuse not to get on board and make this happen (limited developer resources notwithstanding).

So, without further ado:

My Shitlist

Last February, at the Future of Web Apps in London, there was an orgy of OpenID announcements.

The point of my Shitlist is to publicly shame folks who have previously promised (or strongly indicated an intent) to adopt and add support for OpenID but who have failed, thus far, to do so. I invite them to redeem themselves by making good on their promises. I won’t hold it against them, but hey, it’s their word on the line.

  • Digg.com. I’d consider myself personal friends with the Digg folks. I like Daniel, Kevin and Owen. I think they do great work and that Digg is one of the most influential synaptic centers of the net. But Digg tops my shitlist because of a very important 10 seconds of speech that Kevin offered on stage, and which was covered by Om and TechCrunch. He said, and I quote: And then we also want to announce today, uh, support for OpenID. So we will be, uh, rolling out OpenID here in the next few months. That’s gunna be cool. Listen to it yourself. Did this ever happen? Nu uh. Still waiting. Hmmph!
  • NetVibes. NetVibes remains one of the more innovative, more “open source like” rich internet desktops out there. Tariq‘s a friend. But, like Digg, when you make promises (scroll down to Tariq Krim) to do something and months and months later you haven’t made good on your word, well, you end up in my shitlist.
  • Last.fm. Now, I’m going out on a limb here. I have a strong recollection that Last.fm was the third company to promise OpenID support at FOWA, but for the life of me, I can hardly find a reference (besides this: “So what was the buzz at this years FOWA London? Two things resonated to me more than anything in the conference. OpenID and attention data. All of the key players from digg to Netvibes, Last.FM to Arrington touched on, commented or made announcements in these arenas.” — hat tip to JP), and in the recording of their session, they make nary a mention. Now, I’m pretty sure they said something about it, but I don’t have proof. Last.fm needs OpenID regardless, so if someone can backup or discredit my memory, I’m happy to move them to a more appropriate list.
  • PBWiki. I’m a fan of PBWiki, the hosted wiki service. They’re a good friend to the BarCamp and Twitter communities and are my first choice when I need a wiki and don’t want the hassle of setting up and maintaining my own. The oldest email I could find when I first approached David, Nathan and Ramit with a request to support OpenID was July 30, 2006. I’ve badgered them consistently since then, receiving various assurances that they’d work on it. And without directly calling bullshit, I do wonder why their own Auth API hasn’t been made to be OpenID compliant when there have been so many other significant improvements made. I know that nerds aren’t their top priority (nor their biggest money-makers by a long shot) but maybe we can hack it in at the next SHDH?
  • MyBlogLog. I suppose things change when you get absorbed by a massive corporation that requires a consistent terms of service. Or else it seems plausible that the early indications of support for OpenID might have blossomed into full fledged support. Alas, it was not to be.
  • Technorati. In October of 2006, Technorati announced support for blog claiming with OpenID. They also became an OpenID provider. So technically, they don’t deserve a full shaming. However, it’s lame that they allow you to claim your blog if it’s an OpenID, but for reasons that confound me, don’t let you actually sign in to Technorati using the same OpenID. This seems ludicrous to me and frankly, I expect more from Technorati. (And can I point out that it’s a bad sign that when I search your blog for OpenID using your search engine, nothing comes up? Huzzah!)
  • Wikipedia. Well, everyone loves Wikipedia right (that’s an uncorroborated generalization)? Well, they still belong on my shitlist. Wikipedia said they’d support it in a Google Video as early as June of 2006. They might be able to define the protocol, but they certainly don’t support it. (Reprieve: open source to the rescue! Evan Prodromou wrote the OpenID extension for Mediawiki. Now Wikipedia simply needs to adopt it!)

Hitlist

With the shitlist out of the way, I can get on to those folks who haven’t necessary made promises before, but are ripe candidates to be lobbied to add support for OpenID.

  • Satisfaction. Satisfaction has long since planned on offering OpenID (and more recently OAuth) and they tell me that it’s coming soon. With co-founders (and my friends!) Thor and Amy recently getting into a new startup they’ve named Tesla Jane, I think I can be patient for a while longer. 😉
  • Twitter. If you’re aware of the backstory of OAuth, you’ll know that it was my advocacy of OpenID for Twitter that revealed the need for a delegated authentication protocol that was compatible with OpenID. And, now that OAuth has gone 1.0 (and while we’re waiting for Twitter to roll out support for the final spec) it’d be great to also see movement on the OpenID front. I know you’ll get right on that. Heh.
  • Drupal. Bonus points go to Drupal and James Walker for rolling in support for OpenID into core for Drupal 6.0, and maybe we have to wait for the upgrade, but it’s too bad that there isn’t support on the drupal.org website. Should be an easy fix, and with the brilliant way the community devoured my recent feedback, I hope that this request is met with equal enthusiasm!
  • Plazes. Well, I’m with Tara and am pretty disappointed with where Plazes is today. Felix and Stefan are great, but the new Plazer sucks. It’s like they took a bunch of VC and lost focus. Then again, maybe I’m projecting. Anyway, it’d mean something to me if they went ahead and added support for OpenID. Better late than never.
  • Pownce. Pownce has been rocking the portable social network stuff, along with sister-site Digg (yes, the same Digg on my shitlist). The logical next step is for them to provide OpenID consumption to make the circle of portability complete!
  • Ning. Well, they already have NingID, but I really question the wisdom of proprietary authentication schemes at this point. I mean, if they’re all about niche-social-networks, wouldn’t consuming OpenIDs make so much sense to further reduce barriers to outsides coming in to play?
  • LinkedIN. These guys have been doing some great work widely adopting microformats and becoming more social-network-like. People seem to use LinkedIN as an identity aggregation point; shouldn’t they also be able to prove that they own a certain LinkedIN profile elsewhere and then verify their accounts elsewhere by logging in to LinkedIN with their other OpenIDs?
  • Slideshare. Given that Slideshare probably has the greatest collection of OpenID related presentations on the net, it’s kind of a shame that you can’t login to the site using the protocol. I know Rashmi and Jon have their hands full, but it’d be sweet to see them add support.
  • TripIt. TripIt’s awesome. Tara and I did a day of consulting with them and have been constant users ever since. What’d be great is if you could use your OpenID to login between Dopplr and TripIt — it might sound insane to them — but they really are complementary services. Tying my identity between them would save me such a hassle of having to go back and forth between them — and they’d both win!
  • Blip, Viddler, YouTube et al. This might be a pipe dream, but I do think that we could win over Blip and Viddler. YouTube, not so much. But if we lobbied each independent and got one to go, the others might follow…
  • WordPress.com. So WordPress is a funny one. They serve as an OpenID provider but don’t currently consume. If you want to enable OpenID consumption, you have to run your own blog (as I do) and use Will Norrisexcellent plugin. This isn’t necessarily a problem, but with Drupal 6.0 getting support and Blogger offering limited consumption of OpenIDs, I would have hoped that WordPress would have made the move first.
  • Pandora. Finally, and this one might just be a vanity request, but I think it’d be cool if Pandora supported OpenID, if only because it would make OpenID seem cooler.

Wishlist

So, with the more likely candidates out of the way, I’d like to turn my attention to what would be big wins for OpenID, but that are an order of magnitude harder to win over, not so much because of technology issues but because of the complexities of terms of service and other business-level issues. In any case, if we see support from these folks for OpenID in 2008, we know we’re making serious ground.

  • Facebook. I asked the question on Twitter whether people would use Facebook as their OpenID provider if they could. The overwhelming response was no. Still, of anyone, Facebook could, if they actually rebuilt people’s trust and extended the reach of their strong privacy controls with best practice OpenID support, I think it’d be a net positive thing to see Facebook official adopt OpenID. There are already two Facebook apps that enable it, so clearly someone’s interested!
  • Yahoo and its various properties: Flickr, Delicious, Upcoming. I know they’re interested, but it will take more than interest and developer intentions to make this one happen. If Yahoo gets on board, game over man, cat’s in the bag.
  • Google. With their enthusiasm for OAuth and the recognition of the problem of widespread password scraping, I think Google is realizing that their avoidance of OpenID is not paying off. With Blogger toying with support for OpenID, I think (hope!) that’s it’s only a matter of time.
  • Microsoft. Well, Bill already promised. And they’ve even shipped code, even if it’s kind of a weird approach. Like most brushes with the embrace of openness, Microsoft is probably at war with itself once again, on the one hand having elements within that want to do the right thing and on the other, for some reason, being heavily influence by holdouts from the evil empire. We’ll see what comes of this, but I’m not holding my breath, even if InfoCard is the right interface metaphor for OpenID.
  • Mozilla. I don’t know if you noticed, but Mozilla has quite a few properties strewn about. Practically every week there’s a new property launched to promote some new campaign, not to mention all the myriad community sites that crop up (i.e. UserStyles.org, thankfully an OpenID consumer!). In leiu of a top-down single sign-on solution, why not just support OpenID and get it over with and enable portable reputation within the Mozilla universe? And — once you do that — maybe start looking at integrating support into Firefox, as I asked earlier this year?
  • Trac/SVN. With OAuth, support for OpenID on the command line becomes much more feasible, even if there’s little support today. Imagine being able to use your OpenID credentials to login to any SVN repository. Being able to federate whitelists of identifiers would make cross-collaboration much more facile and I think would be a boon to independent open source development.
  • MySpace, Hi-5, Bebo, Orkut et al. I mean, we now know that is basically an overhyped widget distribution platform, but that doesn’t mean that it won’t turn into something more. Eventually the limits of siloed identities are going to run up against the cross-pollinating design of OpenSocial and logging in to Bebo with your MySpace account is not only going to make sense, but will be expected, just like I can send email from my Gmail account to Hotmail and Yahoo email users. OpenID 2.0, with directed identity, is perfectly suited to handle this particular use case and I’d love to see the early OpenSocial partners get on board sooner than later.
  • Adobe. Not even sure why this one’s in the list, but so long as I’m thinking big, it’d be sweet to see support not only on Adobe’s site for OpenID, but also in Flash apps (which I think would possibly require OAuth). Adobe has Adobe IDs already, and, as I suggested before, proprietary protocols for identity on the web make less and less sense.
  • TechCrunch. This one’s for fun. I know Mike’s a fan of big ideas and making things better, so it seems strange that, given his use of WordPress, he hasn’t demanded support for OpenID commenting yet. Perhaps we can dream.

Now that I’ve got those lists out of the way, I wanted to give summary props to folks who have already gone ahead and implemented OpenID (this is not an exhaustive list; check out the OpenID Directory for more):

Make sure to stop by these folks’ sites and try out their support for OpenID. Heck, they’ve pioneered the way forward, might as well both give them some patronage and see what user experience lessons can be had from their implementations.

And, this is by no means a finished list. It’s just a start. If you’ve got your own Shitlist, Hotlist and Wishlists, please do share them. Not only have I probably missed some folks (Amazon anyone?), but there are probably services and sites more dear to your hearts that should be embracing citizen-centric web protocols that I don’t even know about yet.

So, let me know what you think and if you want to start doing some lobbying, the best place to start is with the OpenID site itself.

Slow, steady and iterative wins the race

Consider this a cry for anti-agile, anti-hyped solutions for delivering the open social web.

I read posts like Erick Schonfeld’s “OpenSocial Still “Not Open for Business”” and I have two reactions: first, TechCrunch loves to predict the demise or tardiness of stuff but isn’t very good at playing soothsayer generally and second: there’s really no way Google could have gotten the launch of OpenSocial right. And not like my encouragement will make much difference in this case, but I’m with Google this time: just keep trucking, we’ll get there eventually.

On the first point, I’d like to jog your memory back to when TechCrunch declared Ning RIP and that Mozilla’s Coop was bad news for Flock. Let’s just say that both companies are both alive and kicking and looking better than ever. I don’t really care to pick on TechCrunch, only point out that it often doesn’t really serve much purpose to try to predict the demise of anyone before they’re really gone or to lament the latency of some brand new technology that holds great promise but has been released early.

On my second reaction, well, I have some sympathies for Google for releasing OpenSocial prematurely, before it was fully baked or before they had parity with the Facebook platform. We suffered a similar coal-raking when Flock 0.2 launched. It was literally a bunch of extensions and a theme baked on to the husk of Firefox and when people asked “hey, where’s the beef?!”, well, we had to tell them it was in the future. You can imagine how well that went over.

The point is, we kept at it. And after I left, Flock kept at it. And so just over two years after we’d released 0.2, Flock 1.0 came out, and the reviews, well, were pretty good.

Had we not released Flock 0.2 when we did and gone underground, there’s a chance we would have had more time to prove out the concepts internally before taking them to a wider and less-forgiving audience and would have avoided the excessive media buzz we unnecessarily spun up and that blew up in our face. I learned from that experience that enthusiasm isn’t enough to convince other people to be patient and to believe that you’re going to deliver. I also learned the hard way how long good technology development actually takes and that typically whatever you come out with first is going to have to be radically changed throughout the testing and iterations of any design process.

To look at what Google’s attempting to do, I can see the same kind of awe shucks, we’re changing the world kind of technical development going on. But unlike Flock’s early days, there wasn’t the same political and economic exposure that I’m amazed to see Google taking on. It’s one thing for Facebook, with its youth and bravado, to force its partners to toe whatever line it sets, and to have them build to their specifications. After all, if they don’t, their apps won’t work.

Google’s doing something slightly different and more dangerous, in that, not only are they basically building a cross-platform operating system that runs on the web itself, but they’re also having to balance the needs and passing fancies of multiple business partners involved in actually implementing the specifications to greater or lesser degrees, with varying amounts of attention and wherewithal.

Worst of all, between Facebook and Google’s platforms, we’re quickly heading down a path that leads us to a kind of stratefied Internet Explorification of the web that we haven’t seen since Firefox 1.0 came on the scene. Already we’re seeing inconsistencies between the existing OpenSocial containers and it’s only going to get worse the more adopters try to work to the unfinished specs. As for Facebook apps, well, for every Facebook app built to run inside of Facebook, that’s one less app that, today, can’t run on the Open Web and then God kills another kitten.

So the moral here is that slow and steady isn’t as sexy for the media or VCs but it typically wins races in terms of technology adoption and deployment. So I guess I can’t fault Google for releasing a little too early, but it’ll be interesting to see if it actually helps them get to a stable OpenSocial sooner. Whether it matters when they get there is a matter of debate of course, but in the meantime, hell, there’s plenty for us to do to improve the web as it is today and to solve some tricky problems that neither OpenSocial or Facebook have begun to consider. So, I’m with Doc. And I’m in it for the long haul. I’ll keep my eyes open on OpenSocial and frankly hope that it succeeds, but in the end, I’m interested developing on the best citizen-centric technology that’s going to shape the next evolution of the web.

So long as it’s open, it’s free, non-proprietary, and inclusive, well, even if it’s slow going getting it done, at least we’re not treading back in time.

OAuth 1.0, OpenID 2.0 and up next: DiSo

OFFICIAL OAuth logoIIW 2007b is now over and with its conclusion, we have two significant accomplishments, both the sum of months of hard work by some very dedicated individuals, in the release of the OpenID 2.0 and OAuth Core 1.0 specifications.

These are two important protocols that serve as a foundational unit for enabling what’s being called “user-centric identity”, or that I call “citizen-centric identity”. With OpenID for identity and authentication and OAuth for authorizing access to portions of your private data, we move ever closer to inverting the silos and providing greater mobility and freedom of choice, restoring the balance in the marketplace and elevating the level of competition by enabling the production of more compelling social applications without requiring the huge investment it takes to recreate even a portion of the available social graph.

It means that we now have protocols that can begin to put an end to the habit of treating user’s credentials like confetti and instead can offer people the ability to get very specific about they want to share with third parties. And what’s most significant here is that these protocols are open and available for anyone to implement. You don’t have to ask permission; if you want to get involved and do your customers a huge favor, all you have to do is support this work.

To put my … time? … where my mouth is (I haven’t got a whole lot of money to put there) … Steve Ivy and I have embarked on a prototype project to build a social network with its skin inside out. We’re calling it DiSo, or “Distributed Social Networking applications”. The emphasis here is on “distributed”.

In his talk today on Friends List Portability, Joseph Smarr laid out an import set of roles that help to clarify how pieces of applications should be architected:

  • first of all, people have contact details like email addresses, webpage addresses (URLs), instant messaging handles, phone numbers… and any number of these identifiers can be used to discover someone (you do it now when you import your address book to a social networking site). In the citizen-centric model of the world, it’s up to individuals to maintain these identifiers, and to be very intentional about who they share their identifiers with
  • Second, the various sites and social networks you use need to publish your friends and contacts lists in a way that is publicly accessible and is machine readable (fortunately does well there). This doesn’t mean that your friends list will be exposed for all the world to see; using OAuth, you can limit access to pieces of your personal social graph, but the point is that it’s necessary for social sites to expose, for your reuse, the identifiers of the people that you know.

With that in mind, Steve and I have started working on a strawman version of this idea by extending my wp-microformatted-blogroll plugin, renaming it to wp-contactlist and focusing on how, at a blog level, we can expose our own contact list beyond the realm of any large social network.

Besides, this, we’re doing some interesting magic that would be useful for whitelisting and cross-functional purposes, like those proposed by Tim Berners-Lee. Except our goal is to implement these ideas in more humane HTML using WordPress as our delivery vehicle (note that this project is intended to be an example whose concepts should be able to be implemented on any platform).

So anyway, we’re using Will Norris’ wp-openid plugin, and when someone leaves a comment on one of our blogs using OpenID, and whose OpenID happens to be in blogroll already, they’ll be listed in our respective blogroll with an OpenID icon and a class on the link indicating that, not only are they an XFN contact, but that they logged into our blog and claimed their OpenID URL as an identifier. With this functionality in place, we can begin to build add in permissioning functionality where other people might subscribe to my blogroll as a source of trusted commenters or even to find identifiers for people who could be trusted to make typographic edits to blog posts.

With the combination of XFN and OpenID, we begin to be able to establish distributed trust meshes, though the exposure of personal social graphs. As more people sign in to my blog with OpenID and leave approved comments, I can migrate them to my public blogroll, allowing others to benefit from the work I’ve done evaluating whether a given identifier might be a spam emitter. Over time, my reliability in selecting and promoting trustworthy identifiers becomes a source of social capital accrual and you’ll want to get on my list, demonstrating the value of playing the role of identity provider more widely.

This will lead us towards the development of other DiSo applications, which I’ve begun mapping out as sketches on my wiki but that I think we can begin to discuss on the DiSo mailing list.

Blogger Beta offers OpenID; or, I am mine.

Blogger supports OpeniD!

Dave Recordon (and many, many, many others)points out that the Blogger Beta has added support for accepting OpenID for comments.

This is a watershed moment in terms of OpenID’s brief history as it seems to represent a change in the perception and utility of the protocol by a very significant potential proponent.

For once I can say to someone like Google, “No, you don’t know me, you’ve never let me use my own credentials — my own domain — where I’ve built up my reputation — to login to your system before. To date you’ve only let me use your siloed credentials to sign in against your servers… you never trusted me before. Today you’re starting to say, ‘Well, maybe it’s okay for you to tell me who you are using your own credentials.’

Now, don’t think me getting wistful here.

OpenID is far from perfect (as Marshall Kirkpatrick has pointed out). But, with Internet Identity Workshop coming next week, we have a great opportunity to discuss the necessary improvements that need to happen around user experience, around security, around finalization of the protocol and around thinking through what possibilities a more “citizen centric web” might bring.

(Oh, and in case you hadn’t noticed, I like to use Pearl Jam song titles in my blog posts.)

Data banks, data brokers and citizen bargaining power

Sell to me

I wrote this this morning in a notebook as a follow up to my post yesterday… and since I don’t have time to clean it up now, I thought I’d present in raw, non-sensible form. Maybe there’s some value in a rough draft:

It’s like giving our money to a bank and having them turn around and sell our data to try to upsell us on loans and all kind of … oh wait, but the key difference is if we do get fed up, we can take our money out and go elsewhere, depriving the bank the ability to both target us with their partners’ ads and the ability to compound interest on our savings.

We need data brokers introduced into the system — organizations who are like safety deposit receptacles for our data — and who speak all APIs and actually advocate on our behalves for better service based on how “valuable” we are — this is necessary to top the scales in our favor — to reintroduce a balancing force into the marketplace because right now the choice to leave means dissing our friends — but if I’m not satisfied but still want to t talk to my friends, why can’t I be on the outside, but sending messages in? hell I’m willing to pay — in momentary access to my brokered personal profile — for access to my friends inside the silo. This is what Facebook is doing by shutting down so many accounts — it’s not personal — it’s protecting its business. They don’t want to become a myspace cesspool, succumb to empty profiles and Gresham’s Law — overrun with spam profiles and leeches and worthless profile data — a barren wasteland for advertisers who want to connect with that 8% of their customers who make up 32% of their revenue.

No it’s in data fidelity, richness, ironically FB took it upon themselves to weed out the bad from the good in their system-wide sweeps. Unfortunately they got it wrong a bunch of times. If Facebook allowed the export of data and became a data broker for its users — provided some citizen agency to its customers — there would be economic — as well as social — benefits to maintaining a clean and rich profile — beyond just expressiveness to one’s friends. For better or worse, FB users have a lot of benefit through the siloed apps of that F8 platform — but the grand vision should be closer to what Google’s marketing department christened “OpenSocial”… still though , the roles of banker and broker have yet to be made explicit and so we’ve leapt to “data portability” for nerds, forgetting that most people 1) don’t care about this stuff 2) are happy to exchange their data for services as long as their friends are doing it too 3) don’t want to be burdened with becoming their own libertarian banker! Dave Winer might want to keep everything in an XML file on his desktop, but I know few others who, IRL, feel the same way.

Thus concludes my rough notes.

So, if Facebook were perceived as a big Data Bank in the sky, how would that change things? Would people demand the ability to “withdraw” their data? Does the metaphor confuse or clarify? In any case, what is the role of data banks and data brokers? Is there a difference if the data container leverages the data for their own benefit? If they sell advertising and don’t provide a clear or universal means to opt-out? And what’s in the way of making more “benevolent” data vaults a reality — or how do we at least bring the concept into the discussion?

I have no personal interest the concept, only that’s a viable alternative to the siloed approach is missing from the discussion. And going back to the business models of OpenID and other identity providers… well, if any, that’s it. It’s like having a credit card with access to no credit — what’s the point? And OpenID becomes more valuable the more data capital it has access to. Or something like that.

Oh, and I’d like to quote something poignant that Anders Conbere said to me today in chat:

I was talking with my friend the other day and I tried to explain to him, that what I fear about facebook that I don’t fear about pretty much any other vendor is it’s continued developement as a competing platform to the web. a locked in, proprietary version and what I see, is just like Microsoft leveraged Windows as a “platform for application developement” facebook is doing that for web developement. what it offers developers is the simplicity and security of a stable developement environment at the cost of inovation because as we’ve seen, as market share grows, the ability to inovate decreases (since your success is tied to the backwards compatibility of your platform) and I see the possibility of facebook becoming a dominant platform for web application developement which will in turn lead to two decades of stagnation

So yeah, put that in your bonnet and smoke it. Or whatever.